Building on the Lessons Learned from Hacking the Pentagon

As Secretary of Defense, my number one priority is making sure that the force of the future is just as great as the one today. That means we need to stay competitive and open to new ideas. And that is why one year ago, I created the Defense Digital Service (DDS), a group focused on bringing in talent from America’s most innovative sectors for a tour of duty at DoD to help us solve some of our most complex problems.

The team of technologists at DDS have achieved many important milestones, like improving data sharing between DoD and the VA, to make sure our veterans get access to their benefits. One of their most significant achievements to date was the launch of the Federal Government’s first bug bounty in April of this year.

Bug bounties are a widespread best practice in the outside world — and the concept is relatively simple. A company offers incentives to outside researchers — what most of us would call white-hat hackers — to test the security of its networks and applications, and report what they find, so the company can fix the vulnerabilities.

DoD’s first bug bounty, Hack the Pentagon, exceeded expectations. All told, more than 1,400 hackers were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report. Of all the submissions we received, 138 were determined to be legitimate, unique, and eligible for a bounty.

By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them. The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.

New Vulnerability Disclosure Policy

Today I signed a vulnerability disclosure policy covering all Department of Defense websites. For the first time, anyone who identifies a security issue on a DoD website will have clear guidance on how to disclose that vulnerability in a safe, secure, and legal way. This policy is the first of its kind for the Department. It provides left and right parameters to security researchers for testing for and disclosing vulnerabilities in DoD websites, and commits the Department to working openly and in good faith with researchers.

The Vulnerability Disclosure Policy is a ‘see something, say something’ policy for the digital domain.

DoD is committed to being open, engaged, and accepting of skilled researchers who can help us improve our defenses — and to providing the legal avenues for these security researchers to do so.

We hope that this policy will yield a steady stream of disclosures, allowing us to find and fix issues faster. The net effect is that the Department of Defense, our service members, and the public will be safer and more secure.

Hack the Army & Future Bug Bounties

Although the new vulnerability disclosure policy covers all DoD websites, we also want to sponsor focused challenges on specific networks and systems, so we are also launching more bug bounties. Today we opened registration for the Hack the Pentagon follow-on, called Hack the Army, which was first announced by Secretary of the Army Eric Fanning on November 11th. This challenge is focused on Army websites that support the recruiting mission, and it is the first of many more bounties to come.

Just as we did with Hack the Pentagon, we have contracted with HackerOne so we can reap the benefits of crowdsourced vulnerability discovery and disclosure. All DoD Components have the ability to leverage this contract to host their own bounties in the future.

Hack the Army represents a significant step forward from Hack the Pentagon in that the Army websites offered up to hackers will be more dynamic, rather than simply static websites that aren’t operationally significant. These sites are critical to the Army’s recruiting mission, and as a result must be hardened.

The full list of Army websites and databases that bug hunters will be allowed to hack under the program will be provided to all invited participants soon after. Participants who take part in this bug bounty are eligible to receive thousands of dollars in rewards.

The Vulnerability Disclosure Policy and Hack the Army initiatives underscore the Department’s commitment to innovation and adopting commercial best practices. DoD has focused on efforts to modernize our security and find ways to tap into sources of talent across the country.